Amit Gupta edited this page Dec 6, 2020 · 23 revisions

xCP-SAML2-Okta

The instructions posted here are solely intended to help developers understand how to integrate Documentum xCP with a SAML IdaaS (Identity as a Service) provider. There are currently few articles on this topic, and it is quite challenging for new implementers. I chose the OKTA IdaaS provider because it is free for developers and its advanced features are easy to learn. Please refer to the OpenText xCP deployment guide before using this article; the OpenText guides show how to implement SAML2 with ADFS and PingIdentity, which are the providers used to sign off the releases.

Before you begin...

Make sure you have satisfied the points below before proceeding.

  • I have a patched Documentum xCP 16.4 stack up and running
  • I have an OKTA account in which to register the SAML2 app
  • I have test users in both OKTA and Documentum, where OKTA's login_name corresponds to Documentum's user_login_name
  • The firewall is open so that the xCP App Server and the OKTA app can communicate
  • I have a DNS name for the xCP Application (optionally, the Windows hosts file can be used for this purpose)

1. Enable SSL on xCP App Server (Tomcat-8.5)

This guide assumes that your xCP App Server runs on Windows. If it does not, you can still use the guide either as-is by cloning your xCP App instance onto Windows, or by adjusting the paths and commands for your Linux system.

1.a Create Keystore and Certificate files for xCP App Server

Let's assume the DNS name of your application is 'xcpapp'. Create 'xcpapp.keystore' by executing the command below. Make sure your PATH environment variable points to your JRE's bin directory so that keytool is found.

Command Prompt

cd C:\apache-tomcat-8.5.60\conf

keytool -genkey ^
-alias xcpapp ^
-keyalg RSA ^
-keystore xcpapp.keystore ^
-storepass changeit ^
-keypass changeit ^
-dname "CN=xcpapp, OU=xcpapp, O=xcpapp, L=London, ST=London, C=GB"

Now, export the 'xcpapp.cer' certificate by executing the command below:

Command Prompt

cd C:\apache-tomcat-8.5.60\conf

keytool -export ^
-alias xcpapp ^
-keystore xcpapp.keystore ^
-file xcpapp.cer ^
-storepass changeit

Note: Place xcpapp.keystore and xcpapp.cer in C:\apache-tomcat-8.5.60\conf

1.b Import 'xcpapp.cer' certificate to xCP App Server's java truststore

Command Prompt

cd C:\apache-tomcat-8.5.60\conf

keytool -import -trustcacerts ^
-alias xcpapp ^
-keystore "%JAVA_HOME%\jre\lib\security\cacerts" ^
-file xcpapp.cer -storepass changeit

1.c (Optional; skip if the client is the App Server itself) Import 'xcpapp.cer' certificate to the Client's (Browser) java truststore

Command Prompt

keytool -import -trustcacerts ^
-alias xcpapp ^
-keystore "%JAVA_HOME%\jre\lib\security\cacerts" ^
-file xcpapp.cer -storepass changeit

1.d Update 'C:\apache-tomcat-8.5.60\conf\server.xml' for SSL

<Connector port="8443"
    protocol="org.apache.coyote.http11.Http11NioProtocol"
    ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA"
    sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
    enableLookups="true"
    sslProtocol="TLS"
    keystorePass="changeit"
    keystoreFile="C:\apache-tomcat-8.5.60\conf\xcpapp.keystore"
    clientAuth="want"
    secure="true"
    scheme="https"
    SSLEnabled="true"
    maxThreads="150"/>

Restart the services and verify that the xCP App Server is accessible over SSL.

Note: The connector above enables TLSv1 and TLSv1.1 and two RC4 cipher suites, all of which are deprecated. For a production deployment, restrict sslEnabledProtocols to TLSv1.2 (or later), remove the RC4 entries from the cipher list, and replace the default keystore password 'changeit'.

URL : https://xcpapp:8443/{xCP-App-Name}
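As an added check, not part of the original guide, the following Python script parses a Tomcat server.xml and reports the deprecated protocols, RC4 suites and default keystore password present in an SSL-enabled Connector. The embedded XML is a constructed copy of the connector from step 1.d wrapped in a minimal server.xml envelope; point audit_connectors() at your real file's contents to audit it.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the HTTPS <Connector> from step 1.d inside a minimal envelope.
SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8443"
      protocol="org.apache.coyote.http11.Http11NioProtocol"
      ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
      TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,
      TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,
      TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA"
      sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
      keystorePass="changeit"
      keystoreFile="C:\\apache-tomcat-8.5.60\\conf\\xcpapp.keystore"
      clientAuth="want" secure="true" scheme="https" SSLEnabled="true"/>
  </Service>
</Server>"""

WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Substrings of JSSE cipher-suite names that identify broken or deprecated suites.
WEAK_CIPHER_MARKERS = ("RC4", "_NULL_", "_DES_", "3DES", "_MD5", "_anon_", "EXPORT")

def split_list(value):
    # Tomcat takes comma-separated values; also tolerate the line breaks left
    # when the attribute is wrapped across several lines in server.xml.
    return [item for item in re.split(r"[,\s]+", value) if item]

def audit_connectors(xml_text):
    """Return {port: {"ciphers": [...], "protocols": [...], "notes": [...]}}
    listing the weak settings of every SSLEnabled="true" Connector."""
    findings = {}
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        weak_ciphers = [c for c in split_list(conn.get("ciphers", ""))
                        if any(marker in c for marker in WEAK_CIPHER_MARKERS)]
        weak_protos = [p for p in split_list(conn.get("sslEnabledProtocols", ""))
                       if p in WEAK_PROTOCOLS]
        notes = []
        if conn.get("keystorePass") == "changeit":
            notes.append("keystore still uses the default password 'changeit'")
        findings[conn.get("port")] = {"ciphers": weak_ciphers,
                                      "protocols": weak_protos, "notes": notes}
    return findings

if __name__ == "__main__":
    for port, f in audit_connectors(SERVER_XML).items():
        print(f"port {port}: ciphers={f['ciphers']} protocols={f['protocols']} notes={f['notes']}")
```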

Register xCP App on OKTA IdaaS

Follow the screenshots under OKTA Admin --> Applications:

Create New App


Select Web and SAML2.0
